I'm currently looking into how we should remove expired certificates from Azure Multi-Factor Auth Client, and properly cleanup the old certificates with Microsoft Graph PowerShell cmdlets.
Before the MSOnline PowerShell module got deprecated it was possible using,
Remove-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -KeyIds <Insert KeyID here>
I've looked up the corresponding command from Microsoft Graph PowerShell - Find MSOnline cmdlets in Microsoft Graph PowerShell - and found that it should be Remove-MgServicePrincipalKey.
I've tried with the following syntax,
$servicePrincipalId = (Get-MgServicePrincipal -Filter "appid eq '981f26a1-7f43-403b-a875-f8b09b8cd720'").Id
Remove-MgServicePrincipalKey -ServicePrincipalId $servicePrincipalId -KeyId <Insert KeyID here>
That gives me this output,
Remove-MgServicePrincipalKey : Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-05-05T13:06:37
...
And when searching on that I've come to the conclusion that it is because Azure Multi-Factor Auth Client is a Microsoft party application, and that a proof, or proof-of-possession, is needed for it to be possible to remove certificates.
This is where I get stuck with my knowledge, as I cannot figure out how I should make that proof correctly to be used for this purpose. Does anybody know how that should be done to work with this case?
I believe you need to use -Proof and supply a token signed by one of the current credential keys to use Add- or Remove- for MgServicePrincipalKey.
I instead used
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
$sp = Get-MgServicePrincipal -Filter "appid eq '981f26a1-7f43-403b-a875-f8b09b8cd720'"
$servicePrincipalId = $sp.Id
$keyCredentials = $sp.KeyCredentials
$newKeyCredentials = $keyCredentials[0,1,4,5] # index of whichever credentials should be kept
Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -KeyCredentials $newKeyCredentials
which just removes your unwanted credentials.
There is however a bug in the Microsoft.Graph PowerShell module version 2.27 regarding the Update-MgServicePrincipal command, so if you are on that version you need to downgrade (or upgrade when they fix the bug).
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3305
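The answer above selects the credentials to keep by array index, which is easy to get wrong on a service principal that carries many certificates. The following is an added example (not the answer's own code) that applies the same Update-MgServicePrincipal approach but chooses the credentials to drop by expiry date, prints what will be removed and what will be kept, and refuses to write an empty list. It assumes the Microsoft.Graph module (a version not affected by the bug linked above), the Application.ReadWrite.All scope from the answer, and the Azure Multi-Factor Auth Client app ID from the question.

```powershell
# Added example: remove only expired key credentials from a service principal.
# Not code from the question or the answer; same technique as the answer
# (rewrite the KeyCredentials list), but filtered by EndDateTime instead of index.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# App ID of Azure Multi-Factor Auth Client, as used in the question
$appId = '981f26a1-7f43-403b-a875-f8b09b8cd720'
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "Service principal for appId $appId not found in this tenant" }

$now = (Get-Date).ToUniversalTime()

# A credential with no EndDateTime is treated as still valid and kept.
$expired = @($sp.KeyCredentials | Where-Object { $_.EndDateTime -and ($_.EndDateTime -lt $now) })
$keep    = @($sp.KeyCredentials | Where-Object { -not $_.EndDateTime -or ($_.EndDateTime -ge $now) })

if ($expired.Count -eq 0) {
    Write-Host "No expired key credentials on '$($sp.DisplayName)'; nothing to do."
    return
}

Write-Host "Expired key credentials that will be removed:"
$expired | Select-Object KeyId, Type, Usage, StartDateTime, EndDateTime | Format-Table -AutoSize
Write-Host "Key credentials that will be kept:"
$keep | Select-Object KeyId, Type, Usage, StartDateTime, EndDateTime | Format-Table -AutoSize

# Safety check: an empty list would strip every certificate from the principal.
if ($keep.Count -eq 0) {
    throw "Refusing to remove all key credentials from '$($sp.DisplayName)'."
}

# Same call as in the answer: the list written back becomes the new set of
# credentials, so anything not in $keep is removed. -Confirm prompts before
# the write; use -WhatIf instead to rehearse without changing anything.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -KeyCredentials $keep -Confirm
```

The kept credentials are passed back as the objects Get-MgServicePrincipal returned, exactly as in the answer, so the certificates that are still valid are untouched; only entries whose EndDateTime is already in the past disappear. Run it once with -WhatIf to check the two tables before committing the change.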